Summary of the invention
Embodiments of the present invention provide a method and a device for detecting SQL injection vulnerabilities, in order to improve the detection accuracy for time-based SQL injection vulnerabilities and to reduce the operating load on a web application vulnerability scanning system during detection.
The specific technical scheme provided by the embodiments of the present invention is as follows:
A method for detecting an SQL injection vulnerability, comprising:
Determining a target to be tested, and generating a first SQL attack vector and a second SQL attack vector according to a first delay indication and a second delay indication contained in a selected delay matrix, respectively;
For the target to be tested, sending the first SQL attack vector and the second SQL attack vector in succession, and recording a response matrix, in which a first response time corresponding to the first SQL attack vector and a second response time corresponding to the second SQL attack vector are recorded respectively;
Calculating the similarity between the delay matrix and the response matrix, and, when the similarity is determined to reach a set threshold, determining that a time-based SQL injection vulnerability exists.
In this way, whether a vulnerability exists is judged from the similarity computed between the actual response times and the delay times expected by the attack vectors. For attack vectors that use a delay function, it is no longer necessary to use a long delay time, nor to consider whether the actual delay time is consistent with the expected one; for attack vectors that use a repeated feature expression, it is no longer necessary to consider the time difference of a single execution on different targets. Moreover, because the influence of the network on the response time is essentially the same at two closely spaced moments, a similar amount of variation in both response times has no decisive effect on the computed similarity between the expected delay times and the actual response times, so the accuracy of the vulnerability judgement is not affected. Therefore, it can be ensured that under different network conditions and in different target environments, a program can detect time-based SQL injection vulnerabilities quickly and accurately, while also effectively reducing the operating load that judging SQL injection vulnerabilities imposes on the web application vulnerability scanning system.
Preferably, the first delay indication and the second delay indication either directly record the delay duration to be executed, or record an influence factor representing the number of times a feature expression is repeated, so as to indicate the delay duration indirectly.
Preferably, sending the first SQL attack vector and the second SQL attack vector in succession for the target to be tested comprises:
Generating a first attack query and a second attack query based on the target link and the object to be tested that the target to be tested represents, and on the first SQL attack vector and the second SQL attack vector, respectively;
Sending the first attack query and the second attack query to the target to be tested in succession, wherein the second attack query is sent once the response to the first attack query has been received.
Preferably, after recording the response matrix and before calculating the similarity between the delay matrix and the response matrix, the method further comprises:
Comparing the second response time with the delay duration characterised by the second delay indication, and, if the second response time is determined to be an integral multiple of the delay duration characterised by the second delay indication, judging that the similarity judgement can be performed; wherein the delay duration corresponding to the second delay indication is greater than the delay duration corresponding to the first delay indication.
Preferably, the method further comprises:
If the second response time is determined not to be an integral multiple of the delay duration characterised by the second delay indication, judging that no time-based SQL injection vulnerability exists.
Preferably, calculating the similarity between the delay matrix and the response matrix comprises:
Calculating the similarity between the delay matrix and the response matrix by the following formula:
where $t_0$ represents the first delay indication, $t_1$ represents the second delay indication, $r_0$ represents the first response time recorded for the first SQL attack vector, and $r_1$ represents the second response time recorded for the second SQL attack vector.
A device for detecting an SQL injection vulnerability, comprising:
A generation unit, for determining a target to be tested, and generating a first SQL attack vector and a second SQL attack vector according to a first delay indication and a second delay indication contained in a selected delay matrix, respectively;
A communication unit, for sending the first SQL attack vector and the second SQL attack vector in succession for the target to be tested, and recording a response matrix, in which a first response time corresponding to the first SQL attack vector and a second response time corresponding to the second SQL attack vector are recorded respectively;
A judging unit, for calculating the similarity between the delay matrix and the response matrix, and, when the similarity is determined to reach a set threshold, determining that a time-based SQL injection vulnerability exists.
In this way, as with the method described above, whether a vulnerability exists is judged from the similarity between the actual response times and the delay times expected by the attack vectors, with the same advantages: no long delay times, no dependence on the exact delay or on per-target execution time differences, robustness to network variation that affects both closely spaced requests alike, and a reduced operating load on the web application vulnerability scanning system.
Preferably, the first delay indication and the second delay indication selected by the generation unit either directly record the delay duration to be executed, or record an influence factor representing the number of times a feature expression is repeated, so as to indicate the delay duration indirectly.
Preferably, when sending the first SQL attack vector and the second SQL attack vector in succession for the target to be tested, the communication unit is configured to:
Generate a first attack query and a second attack query based on the target link and the object to be tested that the target to be tested represents, and on the first SQL attack vector and the second SQL attack vector, respectively;
Send the first attack query and the second attack query to the target to be tested in succession, wherein the second attack query is sent once the response to the first attack query has been received.
Preferably, after the response matrix is recorded and before the similarity between the delay matrix and the response matrix is calculated, the judging unit is further configured to:
Compare the second response time with the delay duration characterised by the second delay indication, and, if the second response time is determined to be an integral multiple of the delay duration characterised by the second delay indication, judge that the similarity judgement can be performed; wherein the delay duration corresponding to the second delay indication is greater than the delay duration corresponding to the first delay indication.
Preferably, the judging unit is further configured to:
If the second response time is determined not to be an integral multiple of the delay duration characterised by the second delay indication, judge that no time-based SQL injection vulnerability exists.
Preferably, when calculating the similarity between the delay matrix and the response matrix, the judging unit is configured to:
Calculate the similarity between the delay matrix and the response matrix by the following formula:
where $t_0$ represents the first delay indication, $t_1$ represents the second delay indication, $r_0$ represents the first response time recorded for the first SQL attack vector, and $r_1$ represents the second response time recorded for the second SQL attack vector.
Embodiment
To solve the above problem, and to make it possible for a program to detect time-based SQL injection automatically, quickly and accurately, the present invention proposes an environment-adaptive method for detecting time-based SQL injection. The method is: send an SQL attack vector carrying a delay indication twice in succession, record the corresponding response time for each, then calculate the similarity between the delay matrix formed by the two SQL attack vectors and the response matrix formed by the two response times, and, once the similarity is determined to reach a threshold, determine that a time-based SQL injection vulnerability exists.
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings.
In the embodiment of the present invention, in order to adapt to different network conditions and different target environments, an environment-adaptive method for detecting time-based SQL injection is designed; referring to Fig. 1, the specific steps are as follows:
Step 100: determine a target to be tested, and generate a first SQL attack vector and a second SQL attack vector according to the first delay indication and the second delay indication contained in the selected delay matrix, respectively.
Specifically, in the embodiment of the present application, web crawler technology can be used to obtain the target link to be tested and the parameters to be tested. A parameter to be tested may be a parameter in the target link, a parameter in an HTTP request header, or a parameter in the POST data of a POST-type HTTP request, etc. To ensure that no SQL injection exists at any parameter position, each parameter to be tested must be checked in this embodiment; therefore, the target to be tested described in step 100 refers to one parameter to be tested of a target link.
Then a delay matrix is chosen, denoted $T = [t_0, t_1]^T$, and the general attack vector for time-based SQL injection detection (i.e. the SQL attack vector) time_inj_F(T) is constructed; specifically, the attack vector matrix is:
$$\mathrm{time\_inj\_F}(T) = [\mathrm{time\_inj\_F}(t_0),\ \mathrm{time\_inj\_F}(t_1)]^T$$
where time_inj_F() represents the function chosen for detecting time-based SQL injection and $t_i$ represents a delay indication: $t_0$ represents the first delay indication used by the first SQL attack vector, and $t_1$ represents the second delay indication used by the second SQL attack vector. The delay indication can be implemented in two ways:
The first implementation: the delay indication records the delay duration to be executed (i.e. the value of the delay duration is recorded directly);
The second implementation: the delay indication records an influence factor representing the number of times a feature expression is repeated (i.e. the value of the delay duration is indicated indirectly).
Under the second implementation, a specified feature expression is built into the program. When the SQL attack is carried out, only the influence factor for the repetition count (e.g. 2) needs to be set; the program multiplies the influence factor by an internally set coefficient to obtain the repetition count, e.g. 2 × 10000 = 20000 times. When the target server executes the database query statement, the database executes the specified feature expression that number of times, so that the target server's response is correspondingly delayed.
Obviously, whether the first or the second implementation is adopted, the delay indication characterises a set delay duration (directly or indirectly).
For example, when time_inj_F() is chosen as a delay function such as sleep() or delay(), $t_i$ is the expected database delay duration, in seconds; when it is chosen as a function such as benchmark(), $t_i$ is the influence factor for the number of times the expected feature expression is executed repeatedly, i = 0, 1.
Normally $t_0$ and $t_1$ differ; preferably $t_i \in \{1, 2\}$, in seconds, that is, $t_0 = 1$ second and $t_1 = 2$ seconds.
Step 110: for the target to be tested, send the first SQL attack vector and the second SQL attack vector in succession, and record a response matrix, in which the first response time corresponding to the first SQL attack vector and the second response time corresponding to the second SQL attack vector are recorded respectively.
Preferably, when performing step 110, a first attack query and a second attack query can be generated based on the target link and the object to be tested that the target to be tested represents, and on the first SQL attack vector and the second SQL attack vector, respectively; the first attack query and the second attack query are then sent to the target to be tested in succession, wherein, optionally, the second attack query is sent once the response to the first attack query has been received.
Specifically, when performing step 110, the attack query Q(T) containing the attack vector time_inj_F(T) can be constructed according to the current target link and object to be tested; specifically, the attack query matrix is:
$$Q(T) = [Q(t_0),\ Q(t_1)]^T$$
where $Q(t_i)$ and time_inj_F($t_i$) correspond one to one, i = 0, 1; that is, $Q(t_0)$ is the attack query corresponding to time_inj_F($t_0$), and $Q(t_1)$ is the attack query corresponding to time_inj_F($t_1$). Specifically, when the attack queries Q(T) are sent, they are sent in succession in the order i = 0, 1.
Further, for each attack query sent, the corresponding first response time and second response time are recorded respectively. Specifically, the response matrix is denoted $R$:
$$R = [r_0, r_1]^T$$
which can also be written as $R = D(T) + \Delta T$, where $r_0$ represents the first response time recorded for the first SQL attack vector, $r_1$ represents the second response time recorded for the second SQL attack vector, $D(T)$ represents the time consumed executing the attack vector time_inj_F(T), $D(T) = [D(t_0), D(t_1)]^T$, and $\Delta T$ consists of two parts, the response time of the original request and the fluctuation time caused by the environment, $\Delta T = [\Delta t_0, \Delta t_1]^T$. Therefore, the following can be obtained:
Step 120: calculate the similarity between the above delay matrix and response matrix, and, when this similarity is determined to reach the set threshold, determine that a time-based SQL injection vulnerability exists.
Preferably, before calculating the similarity, the second response time can first be rounded, and it is checked whether the second response time is an integral multiple of the delay duration characterised by the second delay indication; if so, the subsequent similarity calculation is carried out, otherwise it is judged that no time-based SQL injection vulnerability exists.
For example, $r_1$ is rounded, denoted $\mathrm{round}(r_1)$, and it is judged whether $\mathrm{round}(r_1)$ is an integral multiple of $t_1$; if so, the subsequent similarity calculation continues, otherwise time-based SQL injection is considered not to exist.
Specifically, the similarity between the delay matrix and the response matrix is denoted $S$, and $S$ can preferably be calculated in the following way:
In the embodiment of the present invention, because the interval between sending the first SQL attack vector and the second SQL attack vector is very short, the influence of changes in the network environment on the two requests is essentially the same within such a short time; in other words, the fluctuation of the first response time and the second response time caused by environmental influence has no decisive effect on the similarity calculation. Hence $\Delta T$ has very little influence on the similarity $S$ computed in the calculation, and:
$$S \approx 1$$
On the other hand, once the response time really is affected by an abnormal environment and fluctuates, $\Delta T$ will have a large influence on the computed similarity $S$, and $S \approx 1$ will no longer hold. Therefore, taking into account the fluctuation caused by the environment under normal conditions, in the present embodiment the similarity threshold used to judge whether time-based SQL injection exists is preferably set to 0.999, that is: if the similarity $S > 0.999$, time-based SQL injection is considered to exist, i.e. a time-based SQL injection vulnerability exists; otherwise, time-based SQL injection is considered not to exist, i.e. no time-based SQL injection vulnerability exists. Of course, the similarity formula and the corresponding threshold adopted in the present embodiment are only examples; according to different application environments, the calculation formula, the threshold and the indicative feature values can all be adjusted flexibly and adaptively, which is not repeated here.
Referring to Fig. 2, the complete application flow of the above embodiment is as follows:
Step 200: obtain the target link to be tested and the corresponding parameters to be tested.
In the present embodiment, one parameter to be tested is taken as an example.
Step 201: construct the general attack vector for time-based SQL injection, time_inj_F($t_i$), i = 0, 1.
Step 202: construct the request $Q(t_i)$ containing the attack vector, i = 0, 1.
Step 203: send the requests $Q(t_i)$ in succession in the order i = 0, 1, and record the response time as $r_i$.
Step 204: round the response time $r_1$, denoted $\mathrm{round}(r_1)$.
Step 205: judge whether $\mathrm{round}(r_1)$ is an integral multiple of $t_1$. If so, perform step 207; otherwise, perform step 206.
Step 206: judge that time-based SQL injection does not exist, i.e. there is no time-based SQL injection vulnerability, and the flow ends.
Step 207: calculate the similarity $S$ between $[t_0, t_1]^T$ and $[r_0, r_1]^T$.
Step 208: judge whether the value of $S$ is greater than 0.999. If so, perform step 209; otherwise, perform step 206.
Step 209: determine that time-based SQL injection exists, i.e. a time-based SQL injection vulnerability exists, and the flow ends.
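As an added example (not the patent's own code), the decision flow of steps 204 to 209 in Python, with constructed response times standing in for real requests. The similarity formula is not reproduced in the text, so cosine similarity between $[t_0, t_1]^T$ and $[r_0, r_1]^T$ is assumed here; the rounding pre-check, the choice $t_0 = 1$, $t_1 = 2$ and the 0.999 threshold follow the text, and treating $\mathrm{round}(r_1) = 0$ as not a multiple is this example's own interpretation.

```python
import math

# Values stated in the embodiment: the delay matrix T = [t0, t1]^T in seconds
# and the similarity threshold. The similarity formula itself is absent from
# the text, so cosine similarity is ASSUMED below; it is not the patent's formula.
DELAY_MATRIX = (1, 2)            # t0 = 1 s, t1 = 2 s
SIMILARITY_THRESHOLD = 0.999


def cosine_similarity(a, b):
    """Assumed similarity S between the delay vector a and the response vector b."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        raise ValueError("similarity is undefined for a zero-length vector")
    return dot / (norm_a * norm_b)


def passes_multiple_check(r1, t1):
    """Steps 204/205: round r1 and require it to be an integral multiple of t1.
    round(r1) == 0 is rejected here (this example's interpretation: a response
    that never waited at all is not counted as a multiple)."""
    rounded = round(r1)
    return rounded > 0 and rounded % t1 == 0


def judge_time_based_injection(delay_matrix, response_matrix,
                               threshold=SIMILARITY_THRESHOLD):
    """Steps 204 to 209. Returns (vulnerable, similarity); similarity is None
    when the pre-check already ruled the target out (step 206)."""
    t0, t1 = delay_matrix
    r0, r1 = response_matrix
    if t1 <= t0:
        raise ValueError("the text requires t1 to exceed t0")
    if not passes_multiple_check(r1, t1):
        return False, None                                   # step 206
    similarity = cosine_similarity((t0, t1), (r0, r1))       # step 207
    return similarity > threshold, similarity                # steps 208/209


def simulate_response_matrix(delay_matrix, vulnerable, baseline, jitter):
    """Constructs R = D(T) + dT as defined in the text, with no network traffic:
    D(T) is the delay actually executed (T if the injection fires, 0 otherwise)
    and dT is the ordinary response time plus environmental fluctuation."""
    return tuple((t if vulnerable else 0.0) + baseline + j
                 for t, j in zip(delay_matrix, jitter))


if __name__ == "__main__":
    # Constructed scenarios; baseline and jitter are in seconds.
    scenarios = [
        ("vulnerable, stable network", True, 0.05, (0.00, 0.02)),
        ("not vulnerable", False, 0.21, (0.00, 0.03)),
        ("vulnerable, spike on the second request", True, 0.05, (0.00, 1.85)),
    ]
    for label, vulnerable, baseline, jitter in scenarios:
        r = simulate_response_matrix(DELAY_MATRIX, vulnerable, baseline, jitter)
        verdict, s = judge_time_based_injection(DELAY_MATRIX, r)
        shown = "skipped by pre-check" if s is None else f"{s:.6f}"
        print(f"{label}: R={tuple(round(x, 3) for x in r)} S={shown} "
              f"-> injection {'detected' if verdict else 'not detected'}")
```

With this assumed metric, a target whose un-delayed baseline response time is a sizeable fraction of $t_0$ pulls $S$ below 0.999 even when the delay did fire, so the metric and threshold need validating against the baseline latency of the environment before being relied on.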
It can thus be seen that, in the embodiment of the present invention, SQL attack vectors carrying different delay indications are sent twice in succession within a short time (the delay indications carried by the two vectors can be regarded as the expected delay times); the response time of each SQL attack vector is recorded; and the similarity between the delay matrix formed by the two SQL attack vectors and the response matrix formed by the two response times is calculated. Because the influence of network fluctuation on the responses to the two requests is essentially the same within a short time, if the expected delay times are similar to the actual response times, this shows that the target link is subject to time-based SQL injection, since the target server executed the delay indication and was delayed by the corresponding duration.
The present embodiment is applicable to different network conditions and different target environments, and can detect time-based SQL injection vulnerabilities quickly and accurately regardless of which function the attack vector uses, such as sleep(), delay() or benchmark().
Referring to Fig. 3, in the embodiment of the present invention the detection device comprises a generation unit 30, a communication unit 31 and a judging unit 32, wherein:
The generation unit 30 is for determining a target to be tested, and generating a first SQL attack vector and a second SQL attack vector according to the first delay indication and the second delay indication contained in the selected delay matrix, respectively;
The communication unit 31 is for sending the first SQL attack vector and the second SQL attack vector in succession for the target to be tested, and recording a response matrix, in which the first response time corresponding to the first SQL attack vector and the second response time corresponding to the second SQL attack vector are recorded respectively;
The judging unit 32 is for calculating the similarity between the delay matrix and the response matrix, and, when the similarity is determined to reach the set threshold, determining that a time-based SQL injection vulnerability exists.
Preferably, the first delay indication and the second delay indication selected by the generation unit 30 either directly record the delay duration to be executed, or record an influence factor representing the number of times a feature expression is repeated, so as to indicate the delay duration indirectly.
Preferably, when sending the first SQL attack vector and the second SQL attack vector in succession for the target to be tested, the communication unit 31 is configured to:
Generate a first attack query and a second attack query based on the target link and the object to be tested that the target to be tested represents, and on the first SQL attack vector and the second SQL attack vector, respectively;
Send the first attack query and the second attack query to the target to be tested in succession, wherein the second attack query is sent once the response to the first attack query has been received.
Preferably, after the response matrix is recorded and before the similarity between the delay matrix and the response matrix is calculated, the judging unit 32 is further configured to:
Compare the second response time with the delay duration characterised by the second delay indication, and, if the second response time is determined to be an integral multiple of the delay duration characterised by the second delay indication, judge that the similarity judgement can be performed; wherein the delay duration corresponding to the second delay indication is greater than the delay duration corresponding to the first delay indication.
Preferably, the judging unit 32 is further configured to:
If the second response time is determined not to be an integral multiple of the delay duration characterised by the second delay indication, judge that no time-based SQL injection vulnerability exists.
Preferably, when calculating the similarity between the delay matrix and the response matrix, the judging unit 32 is configured to:
Calculate the similarity between the delay matrix and the response matrix by the following formula:
where $t_0$ represents the first delay indication, $t_1$ represents the second delay indication, $r_0$ represents the first response time recorded for the first SQL attack vector, and $r_1$ represents the second response time recorded for the second SQL attack vector.
In summary, in the embodiment of the present invention, the response time interval assumed when a vulnerability exists is no longer estimated from a large amount of data; instead, whether a vulnerability exists is judged from the similarity computed between the actual response times and the delay times expected by the attack vectors. For attack vectors that use a delay function, it is no longer necessary to use a long delay time, nor to consider whether the actual delay time is consistent with the expected one; for attack vectors that use a repeated feature expression, it is no longer necessary to consider the time difference of a single execution on different targets. Moreover, because the influence of the network on the response time is essentially the same at two closely spaced moments, a similar amount of variation in both response times has no decisive effect on the computed similarity between the expected delay times and the actual response times, so the accuracy of the vulnerability judgement is not affected. Therefore, it can be ensured that under different network conditions and in different target environments, a program can detect time-based SQL injection vulnerabilities quickly and accurately, while also effectively reducing the operating load that judging SQL injection vulnerabilities imposes on the web application vulnerability scanning system.
In addition, the scheme provided by the embodiment of the present invention has the following advantages:
1) There is no need to obtain a large amount of data to assess the current network conditions, which simplifies the procedure.
2) There is no need to send a large number of requests to gather data, so no great pressure is placed on the target server or website under high concurrency, and excessive resource consumption is avoided.
3) There is no need to design an effective response time interval, which avoids the false positives and false negatives caused by an unreasonably set response time interval;
4) There is no need to use the delay function repeatedly for the judgement, which greatly reduces the overall time consumed by the judgement flow.
Those skilled in the art should understand that embodiments of the invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they have learned the basic inventive concept, can make further changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the embodiments of the present invention without departing from the spirit and scope of the embodiments of the present invention. Thus, if these changes and modifications of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and modifications.